
Commit d32d6c9

author
Robert Marsh
committed
WIP: more iterator cases
1 parent d50dd09 commit d32d6c9

1 file changed

Lines changed: 129 additions & 0 deletions


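--- a/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
+++ b/cpp/ql/src/semmle/code/cpp/models/implementations/Iterator.qll
@@ -86,6 +86,97 @@ class IteratorFieldOperator extends Operator, TaintFunction {
 }
 }
 
+class IteratorAddOperator extends Operator, TaintFunction {
+IteratorAddOperator() {
+(
+this.hasName("operator+")
+) and
+(
+this
+.getACallToThisFunction()
+.getArgument(0)
+.getFullyConverted()
+.getUnderlyingType()
+.(PointerType)
+.getBaseType() instanceof LegacyIterator or
+this
+.getACallToThisFunction()
+.getArgument(0)
+.getFullyConverted()
+.getUnderlyingType()
+.(PointerType)
+.getBaseType() instanceof LegacyIterator
+)
+}
+
+override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+(
+input.isParameter(0) or
+input.isParameter(1)
+) and
+output.isReturnValue()
+}
+}
+
+class IteratorSubOperator extends Operator, TaintFunction {
+IteratorSubOperator() {
+(
+this.hasName("operator-")
+) and
+this
+.getACallToThisFunction()
+.getArgument(0)
+.getFullyConverted()
+.getUnderlyingType()
+.(PointerType)
+.getBaseType() instanceof LegacyIterator and
+not this
+.getACallToThisFunction()
+.getArgument(1)
+.getFullyConverted()
+.getUnderlyingType()
+.(PointerType)
+.getBaseType() instanceof LegacyIterator
+}
+
+override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+(
+input.isParameter(0) or
+input.isParameter(1)
+) and
+output.isReturnValue()
+}
+}
+
+class IteratorDiffOperator extends Operator, TaintFunction {
+IteratorDiffOperator() {
+(
+this.hasName("operator-")
+) and
+this
+.getACallToThisFunction()
+.getArgument(0)
+.getFullyConverted()
+.getUnderlyingType()
+.(PointerType)
+.getBaseType() instanceof LegacyIterator and
+not this
+.getACallToThisFunction()
+.getArgument(1)
+.getFullyConverted()
+.getUnderlyingType()
+.(PointerType)
+.getBaseType() instanceof LegacyIterator
+}
+
+override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+(
+input.isParameter(0) or
+input.isParameter(1)
+) and
+output.isReturnValue()
+}
+}
 class IteratorPointerDereferenceMemberOperator extends MemberFunction, TaintFunction {
 IteratorPointerDereferenceMemberOperator() {
 this.hasName("operator*") and
@@ -124,3 +215,41 @@ class IteratorFieldMemberOperator extends Operator, TaintFunction {
 output.isReturnValue()
 }
 }
+
+class IteratorMemberBinaryOperator extends MemberFunction, TaintFunction {
+IteratorMemberBinaryOperator() {
+(
+this.hasName("operator+") or
+this.hasName("operator-")
+) and
+this.getDeclaringType() instanceof LegacyIterator
+}
+
+override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+(
+input.isQualifierObject() or
+input.isParameter(0)
+) and
+output.isQualifierObject()
+}
+}
+
+class IteratorMemberAssignOperator extends MemberFunction, TaintFunction {
+IteratorMemberAssignOperator() {
+(
+this.hasName("operator+=") or
+this.hasName("operator-=")
+) and
+this.getDeclaringType() instanceof LegacyIterator
+}
+
+override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+(
+input.isQualifierObject() or
+input.isParameter(0)
+) and
+output.isQualifierObject()
+or
+output.isReturnValue()
+}
+}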
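Review bot: In `IteratorMemberAssignOperator.hasTaintFlow` (second hunk) the trailing `or output.isReturnValue()` sits outside the input constraint, because `and` binds tighter than `or` in QL. That disjunct leaves `input` unconstrained, so the model reports taint reaching the return value from any input, which shows up as spurious flows in taint-tracking queries. Grouping the outputs fixes it: `(input.isQualifierObject() or input.isParameter(0)) and (output.isQualifierObject() or output.isReturnValue())`. In the first hunk the two disjuncts of the `IteratorAddOperator` constructor are identical, both testing `getArgument(0)`. The second presumably should test `getArgument(1)`; until it does, calls with the iterator as the right operand are not modelled and their taint is dropped. `IteratorDiffOperator` repeats the `IteratorSubOperator` constraint verbatim, including the `not`, so the iterator-minus-iterator case it seems intended for is never matched.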
